Vulnerable despite vulnerability management – these are the challenges you face

Author
Michael Güttinger
Published
30 October 2020

It is a given that cyber criminals make use of vulnerabilities to carry out their attacks. This makes it all the more important to eliminate them quickly and effectively before an attacker can exploit them. Vulnerability management is an important factor in preventing an attack from taking place. However, as is often the case, theory and practice are two very different things. In this article, you can find out which challenges companies often face and the best way to tackle them.

Vulnerability management is an important aspect of cyber security. Its basic principle is that an attack cannot be launched without there being a vulnerability, and preventing attacks is the ultimate aim of all cyber security measures. This makes sense, doesn't it?

Companies often assume that by implementing a tool, e.g. a vulnerability management solution, all their problems will be solved, but as is so often the case, a specific tool or piece of software is not a panacea. You need expertise and the right organisational measures and processes to get the most out of it.

5 challenges that you are bound to be familiar with

Cyber security challenges are part and parcel of everyday life. The same applies to vulnerability management, but often the real problem cannot be seen at first glance. Below, we show you five challenges that you will certainly be familiar with:

  1. Identify who is responsible for resolving vulnerabilities
    As with all problems, it is never easy to find “volunteers” to take them on. That is why it is particularly important to clearly define which person is responsible for fixing which vulnerability and how that person can eliminate potential dependencies. Depending on the vulnerability, this is not always easy to attribute, and it is often even more difficult to identify who is responsible for the affected system in the first place. Who are the right people to contact?

  2. Acceptance within the company/lack of commitment
    In IT security, acceptance within the company is of great importance in general, but particularly so in vulnerability management. If the people concerned are not able to perceive the direct added value for themselves and the company, there is a drastic drop in motivation, and consequently also in the determination to rapidly close any vulnerabilities.

  3. Complex vulnerability reports
    Everyone knows these: long, comprehensive and complicated reports in which you quickly lose perspective. Being accurate is one thing, being understandable is another. Such reports can quickly become overwhelming and reduce acceptance, particularly when they contain false positives.

  4. Dubious prioritisation
    Of course, where there are security gaps, patching is a priority. Vulnerability reports help here, but the deluge of information and the large number of vulnerabilities mean that they are not always the most effective method to use. This leads not only to frustration but also to more and more questions:
    • Which systems can wait?
    • Which assets are critical?
    • Which vulnerabilities are already being actively exploited and are consequently liable to attack?
    • Which vulnerabilities cannot be exploited because of the existing measures in place?
    If the wrong measures or vulnerabilities are prioritised, the company will not gain significant added value, and the level of acceptance among those involved will also drop.

  5. No overarching view to identify systemic problems and no way to eliminate the cause of vulnerabilities
    Vulnerabilities often recur for the same reason, e.g. due to missing patch processes or poorly programmed software that constantly produces new vulnerabilities. Sometimes the cause is not identified or dealt with at all. On one hand, this leads to frustration for employees, because as soon as a system is vulnerability-free, the next vulnerability crops up. On the other hand, the systems naturally remain more susceptible to attack.

Of course, this list is not exhaustive and differs from company to company, but it is often precisely challenges such as these that lead to major problems.

How to tackle the challenges of vulnerability management successfully

It is always easier to point out mistakes than to provide really useful tips. This is why we are providing you with eight tips for managing your vulnerabilities.

  1. Define responsibilities
    As has already been mentioned, it is frequently difficult to find the actual cause of a vulnerability, as well as the internal people responsible for it or the right contact persons. It is important to define exactly who is responsible for rectifying which vulnerability (e.g. based on the system and the layer at which the vulnerability has occurred). Sometimes it makes sense to appoint a higher-level person to be responsible overall. In the event of disagreement, this person can, or must, decide who is responsible for a specific vulnerability.

  2. Actively promote the need for vulnerability management
    One of the pillars of successful cyber security is that both the management and the staff responsible for implementation recognise the need for vulnerability management. For this to be successful, it is important on one hand to actively sell the benefits of successful vulnerability management within the company, and on the other hand to look for pragmatic solutions for individual cases.

  3. Simple reports
    The most important thing about reports is that the different recipients can easily find the information they need. For managers, for example, this includes the development of the risk situation over time or an overview of the current risk situation. Staff responsible for systems, conversely, need an overview of their systems and the vulnerabilities found in them.

  4. Prioritise according to simple criteria
    Frequently, there is a tendency to set complex criteria, and far too many of them. Unsurprisingly, this makes it difficult to prioritise. It is better to restrict yourself to simple but meaningful and manageable criteria. To begin with, for example, this could mean that only critical vulnerabilities are acted on and the others are simply passed on to the responsible parties for information.
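As an added illustration of tips 1, 3 and 4 (this is not code from the article or from InfoGuard), the following Python sketch triages constructed scanner findings by the article's own criteria (critical severity, active exploitation, asset criticality, an existing mitigating measure) and routes each finding to the owner defined for its system, escalating to a higher-level person when no owner is mapped. The owner table, criticality table, finding IDs and the "act now" rule are all assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed sample data, not from the article: which team owns which system (tip 1).
OWNERS = {"web-shop": "team-web", "erp": "team-sap"}
FALLBACK_OWNER = "security-lead"  # higher-level person who decides when no owner is defined

# Constructed asset criticality per system ("Which assets are critical?").
ASSET_CRITICALITY = {"web-shop": "high", "erp": "high", "intranet-wiki": "low"}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    vuln_id: str
    system: str
    severity: str          # scanner rating: low / medium / high / critical
    exploited: bool = False  # already being actively exploited in the wild
    mitigated: bool = False  # an existing measure (e.g. segmentation) blocks exploitation


def score(f: Finding) -> int:
    """Higher score = fix earlier. Mitigated findings drop below everything unmitigated."""
    if f.mitigated:
        return 0
    s = SEVERITY_RANK[f.severity]
    s += 4 if f.exploited else 0                                  # exploited beats severity
    s += 2 if ASSET_CRITICALITY.get(f.system, "low") == "high" else 0
    return s


def triage(findings):
    """Tip 4: only critical (or exploited) unmitigated findings are acted on now;
    everything else is passed on for information. Both lists are ordered by score."""
    ordered = sorted(findings, key=score, reverse=True)
    act_now = [f for f in ordered if not f.mitigated and (f.severity == "critical" or f.exploited)]
    info = [f for f in ordered if f not in act_now]
    return act_now, info


def owner_report(findings):
    """Tip 3: each responsible party sees only the findings on their own systems."""
    report = {}
    for f in findings:
        report.setdefault(OWNERS.get(f.system, FALLBACK_OWNER), []).append(f.vuln_id)
    return report


# Constructed findings; IDs are placeholders, not real vulnerability identifiers.
SAMPLE = [
    Finding("VULN-1", "web-shop", "critical", exploited=True),
    Finding("VULN-2", "erp", "critical", mitigated=True),
    Finding("VULN-3", "intranet-wiki", "high"),
    Finding("VULN-4", "intranet-wiki", "critical"),
    Finding("VULN-5", "erp", "high", exploited=True),
]
```

Running `owner_report(triage(SAMPLE)[0])` shows VULN-4 landing with the fallback owner, which is exactly the "nobody is responsible" gap that tip 1 asks you to close in advance.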

  5. Identify and remedy any systemic problems
    To avoid turning the elimination of vulnerabilities into a Sisyphean task and to prevent the “stone”, i.e. the vulnerability, from repeatedly rolling back down the mountain, the systemic problems also need to be dealt with. Often these issues are known to the various contact persons, but they have no means of communicating them to the decision-makers, let alone addressing them directly themselves. A six-monthly report for the management detailing the systemic problems may help here, for example. Measures to remedy these problems can then be defined together with the management.

Vulnerability management – a book with seven seals?

No, vulnerability management is not a book with seven seals, but it is ambitious and extremely important. A single tool alone is inadequate for effective vulnerability management. As with so many topics, continuous analysis, control and optimisation are key. We hope that our tips have given you some food for thought to ensure that your vulnerability management is as “invulnerable” as it can be.

How are things looking in your company? What challenges do you currently face in terms of vulnerability management? Whether you are just starting out or simply want to improve your level of knowledge, our experts have extensive experience and a broad range of expertise and can provide you with optimal support. You can find more information about our offers, including “Vulnerability Manager as a Service” and our Managed Service, here:

InfoGuard Vulnerability Management
